AWS Amplify/amplify-js forgotPassword() returns no error with invalid userName


I'm implementing authentication components with aws-amplify (Vue/TypeScript). Using forgotPassword(userName: string), I'm trying to send a verification code to the target email address. https://aws-amplify.github.io/amplify-js/api/classes/authclass.html#forgotpassword

import { Auth } from 'aws-amplify'
...
await Auth.forgotPassword(emailAddress)


However, with an invalid email address that is not one of the Cognito users, it returns this success message.

{"CodeDeliveryDetails":{"AttributeName":"email","DeliveryMedium":"EMAIL","Destination":"****@d***.com"}}

What I want is this.

{"__type":"UserNotFoundException","message":"Username/client id combination not found."}

I suspect a misconfiguration in AWS Cognito, but I cannot figure out what to change.

3

There are 3 answers

0
Ajay On BEST ANSWER

Visit Your User Pools

Go to App Client in left navigation Bar.

Then scroll down to Security configuration.

Select Legacy under "Prevent User Existence Errors".

Note: the default option is Enabled (Recommended). This default option is the actual root cause.


Now when you enter a wrong username [in my case the email ID], it will throw the exception.


If you enter the correct username [in my case the email ID], then it sends the verification code.


1
Yozz On

AWS Cognito: Managing error responses

When a user isn't found, is disabled, or doesn't have a mechanism to recover their password, Amazon Cognito returns CodeDeliveryDetails with a simulated delivery medium for a user. The simulated delivery medium is determined by the input user name format and verification settings of the user pool.

I need to check the Cognito configuration.

0
Shafqat Jamil Khan On

You can set Prevent User Existence Errors to Legacy in the app client settings. By doing this you will get the error if the email does not exist in the user pool.
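The two behaviours the answers describe, side by side, as an added example that is not code from the question or from amplify-js: a constructed stand-in for Auth.forgotPassword under each "Prevent User Existence Errors" setting, and a form handler that gives the same result under either, since Enabled is the recommended default. The error `code` property on the thrown error is assumed to be how amplify-js surfaces the Cognito error type.

```javascript
// Added example, not code from the question or from amplify-js.
// Stand-in for Auth.forgotPassword under each "Prevent User Existence Errors"
// app-client setting, plus a handler for the reset form that works with both.

const GENERIC_MESSAGE =
  'If an account exists for that address, a verification code has been sent.';

// Masks an address roughly the way the Destination in the question is masked
// (constructed format, e.g. "n***@e***.com").
function maskEmail(email) {
  const [local, domain] = email.split('@');
  const tld = domain.slice(domain.lastIndexOf('.'));
  return `${local[0]}***@${domain[0]}***${tld}`;
}

// Builds a fake forgotPassword(userName) for a pool whose users are `knownUsers`.
// mode is 'ENABLED' (the default, recommended) or 'LEGACY'.
function makeForgotPassword(mode, knownUsers) {
  return async function forgotPassword(userName) {
    if (!knownUsers.has(userName) && mode === 'LEGACY') {
      // LEGACY: Cognito reports that the user does not exist.
      const err = new Error('Username/client id combination not found.');
      err.code = 'UserNotFoundException'; // assumed: where amplify-js puts the Cognito code
      throw err;
    }
    // ENABLED with an unknown user returns simulated delivery details in the
    // same shape as a real delivery, so the caller cannot tell them apart.
    return {
      CodeDeliveryDetails: {
        AttributeName: 'email',
        DeliveryMedium: 'EMAIL',
        Destination: maskEmail(userName),
      },
    };
  };
}

// Reset-form handler: identical outcome for known and unknown users, so the UI
// behaves the same under ENABLED and, if LEGACY is chosen, does not echo the
// existence error to the page. Any other failure is still rethrown.
async function requestPasswordReset(forgotPassword, userName) {
  try {
    const res = await forgotPassword(userName);
    return { accepted: true, medium: res.CodeDeliveryDetails.DeliveryMedium, message: GENERIC_MESSAGE };
  } catch (err) {
    if (err && err.code === 'UserNotFoundException') {
      return { accepted: true, medium: null, message: GENERIC_MESSAGE };
    }
    throw err;
  }
}
```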